Henley Lodge

Privacy Policy

---

Information that we collect
The information we collect from you has one purpose, to enable us to provide you with our hotel services and products; to do that we need to process your personal data such as your name, company, billing address, home address, telephone numbers, hotel and room number, email addresses, nationality etc.  You may also use one of our third-party services to send information to us such as booking sites and secure card payment services.

We do not collect any special categories of information or ‘sensitive personal data’ about you (Guest) apart from medical or health information where you (Guest) have advised us of this to request special assistance or reasonable adjustment. We store this information to provide the assistance requested and the necessary assistance and information in case of an emergency evacuation.

For the protection of our guests and team, CCTV is in operation inside and around the perimeters of our hotels. Your image may be collected by the CCTV if you visit our premises. We process CCTV footage in accordance with surveillance regulations. If you want to understand more about how we process CCTV footage and protect the records, you can access our CCTV Policy on our website or request a copy from the Privacy Manager using the contact details at the beginning of this document.

How and when information is used
We may use your personal information for different purposes, for example:

- for marketing or to permit one of our third parties to do so, where you have given your consent to receive marketing information and for it to be shared with selected third parties
- to communicate with you by post, email, telephone and through social media platforms
- to monitor website use (see cookies and why we use them)
- to provide our services and products to you
- to keep you informed about the services and products you have purchased from us and to send information about products and services you may be interested in
- to help us develop new and improved products and services
- for security and to check your identity to comply with legal and regulatory obligations
- where we have a legitimate business interest such as for the protection of our business interests

Who we share your data with and why
We may share your personal information for the above purposes, where we have a legitimate interest in processing that information, or we have a legal obligation to do so. Processing may include international transfers but only to countries which have equivalent data protection laws or under Standard Contractual Clauses as approved by the ICO. Any transfer of personal data by us or one of our appointed data processors shall take place only if the following conditions are complied with:
- Transfers on the basis of the adequacy of data protection.
- Transfers are subject to the appropriate data protection safeguards through technical and organisational measures.
- If binding corporate rules apply (agreements governing transfers made between organisations within a corporate group).

Government and law enforcement agencies: We may be required by law to share your data with other organisations, such as the government or law enforcement agencies:
- to satisfy any applicable law, regulation, legal process, or governmental request
- to detect, prevent, or otherwise address fraud, security, or technical issues
- to protect our rights, property or safety, our users, and the public
This may include exchanging information with other companies and organisations for fraud protection and spam/malware prevention if required by law. If we do so we will always do so securely, and we won’t share more than we need to.

Our service providers: (including their sub-contractors). We may share your information with third party businesses and service providers who are providing services and products on our behalf that requires them to process your information. We will always ensure they follow similarly high standards to those followed by the Resident Hotels Group through contractual obligations, and where necessary, we will undertake Third Party data protection audits.

Your rights
The GDPR aims to give you more control of your data. It provides you with new and strengthened rights.

Right to access: you can ask us whether we’re processing your personal information, including where and for what purpose. You can also request an electronic copy of your personal information free of charge. If you require further copies of the information there may be a charge, where permitted by the legislation.

Right to restrict processing: in certain circumstances, you can ask us to restrict our use of your personal information.

Right to rectification: you can ask us to correct inaccurate personal information we hold about you.

Right to erasure (right to be forgotten): in certain circumstances, you can ask us to erase your personal information.

Right to data portability: you can ask us to provide you with a copy of your personal information in a commonly used electronic format so that you can transfer it to other businesses.

Right to object to automated decision-making: in certain circumstances, you can ask us not to make automated decisions about you based on your personal information that produce significant legal effects.

Right to lodge a complaint: you can lodge a complaint with the supervisory authority (ICO) but we ask that you allow us to see if we can resolve the problem first (See complaints and queries section).

This means you can at any time:

inform us of a correction to your personal information
withdraw any permission you have previously given to allow us to use your information
object to any automated decision-making
- ask us to stop or start sending you marketing messages
- ask us to send you (or someone you nominate) a copy of the information we hold about you
- ask us to stop using your information in certain circumstances

Subject Access Request (SAR)
You have the right to request a copy of the personal information we hold about you and to have any inaccuracies corrected. We will require you to prove your identity with 2 pieces of approved identification. We will use reasonable efforts consistent with our legal duty to supply, correct or delete personal information about you on our files.

We will need two forms of identification, which can be: passport, driving licence, birth certificate, utility bill (from last 3 months), current vehicle registration document or a bank statement (from last 3 months).

If you can advise of the specific information that you require, we can process your request more quickly. We will respond to your request within one month of you providing information that confirms your identity.

We will give you a description of your personal information we process, why we have it and who it is shared with. If requested, we will also provide it to you in a format that you can access easily.

If you wish to make a SAR request, please contact the Privacy Manager using the contact details provided at the beginning of this document and we will provide you with the necessary request documentation.



Retention of your data
We will keep your personal information for as long as we have a relationship with you. Once our relationship has come to an end, we will only retain your personal information for a period that is calculated based on the type of information we hold and the purpose for which we hold it. We maintain a Retention of Records Schedule to communicate our record retention requirements to all relevant staff and ensure information is not retained for longer than necessary.

We only retain information that enables us to:

maintain business records to comply with our contractual obligations
comply with record retention requirements under the law
defend or bring any existing or potential legal claims
maintain records of anyone who does not want to receive marketing from us
deal with any future complaints regarding services we have delivered
if required by law enforcement agencies


How We Protect Your Personal Information
We are committed to protecting your personal information. We take appropriate technical and organisational measures to guard against unauthorised or unlawful processing of your personal information and against accidental loss or destruction of, or damage to, your personal information.

The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. However, please bear in mind that IT infrastructure and the internet cannot be guaranteed to be 100% secure

We have access security measures in place and restrict access to databases only to those who need access appropriate to their job role.

All personal information and details provided to book or access any of our services or products are stored on secure servers or in access controlled physical filing systems. We do not store credit card numbers or related identifying financial information on any of our servers.

Digital information and hard copy information is securely disposed of when no longer required. This is conducted in line with our Information Security Policy and procedure.


Queries or complaints
We try to meet the highest standards when collecting and using your personal information. For this reason, we take any complaints we receive about this very seriously. Please get in touch if you think we are using or collecting your personal information in an inappropriate way.

---